What's this in my logs.

union+all+select appends to URLs

     
9:00 am on Oct 12, 2013 (gmt 0)

New User

5+ Year Member

joined:July 10, 2009
posts: 4
votes: 0


I had a recurring hacker on my site that was modifying the .htaccess file to include pharma links for search engine bots. I've since solved that problem by ditching Joomla (although I stress to add it was probably a dodgy Joomla extension rather than Joomla itself).

However I'm still curious to find out how they did it and whether they are still trying. Looking at my raw logs, the one thing that really stands out is multiple attempts to load my listings.php script with an awful lot of code added to the query string. It happens hundreds of times in the logs, starting with an innocent-looking:

GET /listing.php?id=10749 HTTP/1.1


- which is a valid request, but then shortly after that turns into:

GET /listing.php?id=10749%27+and+%27x%27%3D%27y HTTP/1.1


and then several hits later it can be:

GET /listing.php?id=999999.9+%2F*%2130000union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536*%2F-- HTTP/1.1


What I'm trying to figure out is what are they trying to do? SQL injection attack? Or is this possibly related to the previous attack on .htaccess?

The knowledge of my peers would be appreciated,

Thanks,

Xandir

[edited by: phranque at 11:06 am (utc) on Oct 12, 2013]
[edit reason] fix sidescroll [/edit]

10:30 am on Oct 12, 2013 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:214
votes: 11


If you decode the first url you get:

10749' and 'x'='y

So it looks like a SQL injection but normally a hacker would use the OR function and not the AND...
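
Added example, not part of the original thread: a short Python script that URL-decodes the three logged requests quoted above, tags the SQL injection patterns in each, and decodes the repeated hex literal. The signature names and regexes are assumptions made for this illustration, and the long request is rebuilt from its 20 repeated literals.

```python
import re
from urllib.parse import parse_qs, urlsplit

HEX = "0x31303235343830303536"  # literal repeated 20 times in the logged request
# Request lines from the post above; the long one is rebuilt from its repeats.
REQUESTS = [
    "GET /listing.php?id=10749 HTTP/1.1",
    "GET /listing.php?id=10749%27+and+%27x%27%3D%27y HTTP/1.1",
    "GET /listing.php?id=999999.9+%2F*%2130000union+all+select+"
    + "%2C".join([HEX] * 20) + "*%2F-- HTTP/1.1",
]

# Heuristic signatures: assumptions for this example, not a complete rule set.
SIGNATURES = {
    "quote-break": re.compile(r"'"),
    "boolean-probe": re.compile(r"'\s*(and|or)\s*'[^']*'\s*=\s*'", re.I),
    "union-select": re.compile(r"union\s+(all\s+)?select", re.I),
    "mysql-versioned-comment": re.compile(r"/\*!\d{5}"),
    "sql-comment-terminator": re.compile(r"--\s*$"),
}

def decoded_id(request_line):
    """Return the URL-decoded id parameter of a logged request line, or None."""
    target = request_line.split(" ")[1]
    values = parse_qs(urlsplit(target).query).get("id", [])
    return values[0] if values else None

def classify(value):
    """Names of the signatures that match a decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def hex_literals(value):
    """Decode 0x... SQL literals to text so marker values become readable."""
    return [bytes.fromhex(h).decode("ascii", "replace")
            for h in re.findall(r"0x((?:[0-9a-fA-F]{2})+)", value)]

if __name__ == "__main__":
    for line in REQUESTS:
        value = decoded_id(line)
        markers = sorted(set(hex_literals(value)))
        print(f"{value[:60]!r:64} {classify(value)} markers={markers}")
```

A match here shows that the parameter was probed, not that the probe worked. Whether listing.php was exploitable depends on how it builds its query from id.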

7:34 pm on Oct 12, 2013 (gmt 0)

Senior Member

g1smd

joined:July 3, 2002
posts:18903
votes: 0


You can and should add rules that simply block requests like these.

8:28 pm on Oct 12, 2013 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:12702
votes: 244


I'm still curious to find out how they did it and whether they are still trying.

The format of the request doesn't matter. The absolutely VITAL question is: how did they get into your htaccess, and what did you do to ensure nobody can ever do it again? Do you trust your host?

phranque, I hope you appreciate that your browser window is at least twice as wide as mine :(